July 2004

[July 05, 2004] "An Approach to Extract RBAC Models from BPEL4WS Processes." By Jan Mendling, Mark Strembeck, Gerald Stermsek, and Gustaf Neumann (Department of Information Systems, New Media Lab, Vienna University of Economics and BA, Austria). Presented at the Second International Workshop on Distributed and Mobile Collaboration (DMC 2004), June 14, 2004. Published in Proceedings of the Thirteenth IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WET ICE 2004), Modena, Italy. 6 pages (with 23 references). "The Business Process Execution Language for Web Services (BPEL) has become the de facto standard for Web Service composition. Yet, it does not address security aspects. This paper is concerned with access control for BPEL based processes. We present an approach to integrate Role-Based Access Control (RBAC) and BPEL on the meta-model level. Moreover, we show that such an integration can be used to automate steps of the role engineering process. In particular, we extract RBAC models from BPEL processes and present an XSLT converter that transforms BPEL code to the XML import format of the xoRBAC software component. Our work is motivated by two main facets. First, BPEL does not address access control measures although access control is an important and integral aspect of business processes. Second, role engineering is a time-consuming task and can be made more efficient through an integration with business process modeling. We use the mappings between RBAC and BPEL to automate steps of the scenario-driven role engineering process presented in A Scenario-driven Role Engineering Process for Functional RBAC Roles (2002)... With our approach we aim to enhance the security features of Business Process Management Systems that operate via Web Services. Moreover, our approach provides for more efficient role engineering as it automates steps of the scenario-driven role engineering process.
Finally, as RBAC and process models are highly interrelated, automation in role engineering also facilitates consistency between the deployed business processes and corresponding RBAC policies. In our future work we implement an RBAC-aware BPEL engine that reflects the findings of this paper. In particular, the implementation will build on an integrated metamodel of BPEL and RBAC. Another interesting aspect for future work is the continued integration of role engineering activities with BPEL-based processes..." See: (1) "Business Process Execution Language for Web Services (BPEL4WS)"; (2) OASIS Web Services Business Process Execution Language TC web site.

[July 02, 2004] "Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0." Edited by Frederick Hirsch (Nokia). Prepared by members of the OASIS Security Services Technical Committee. Working Draft 4. 2-July-2004. Document identifier: 'sstc-saml-sec-consider-2.0-draft-04'. 32 pages. "Security and privacy must be addressed in a systemic manner, considering human issues such as social engineering attacks, policy issues, key management and trust management, secure implementation and other factors outside the scope of this document. Security technical solutions have a cost, so requirements and policy alternatives must also be considered, as must legal and regulatory requirements. This non-normative document summarizes general security issues and approaches as well as specific threats and countermeasures for the use of SAML assertions, protocols, bindings and profiles in a secure manner that maintains privacy. Normative requirements are specified in the normative SAML specifications... SAML includes the ability to make statements about the attributes and authorizations of authenticated entities. There are very many common situations in which the information carried in these statements is something that one or more of the parties to a communication would desire to keep accessible to as restricted as possible a set of entities. Statements of medical or financial attributes are simple examples of such cases. Many countries and jurisdictions have laws and regulations regarding privacy and these should be considered when deploying a SAML based system. A more extensive discussion of the legal issues related to privacy and best practices related to privacy may be found in the Liberty Privacy and Security Best Practices document. 
Parties making statements, issuing assertions, conveying assertions, and consuming assertions must be aware of these potential privacy concerns and should attempt to address them in their implementations of SAML-aware systems... The intent in this document is to provide information to architects, implementors, and reviewers of SAML-based systems about the following: (1) the privacy issues to be considered and how SAML architecture addresses these issues; (2) the threats, and thus security risks, to which a SAML-based system is subject; (3) the security risks the SAML architecture addresses, and how it does so; (4) the security risks it does not address; (5) recommendations for countermeasures that mitigate those security risks..." See: (1) OASIS Security Services TC web site; (2) "Security Assertion Markup Language (SAML)."

[July 01, 2004] "FWSI Functional Elements Requirements." Edited by Tan Puay Siew (Singapore Institute of Manufacturing Technology, SIMTech). Contributions by: Ang Chai Hong, Chan Lai Peng, Cheng Jason, Cheng Yushi, Dilip Kumar Limbu, Wu Yingzi, SIMTech Xu Xingjian (SIMTech). Working Draft of the Version 01a, July 01, 2004. Document identifier: 'FWSI-FESC-Requirements-01a.doc'. 25 pages. OASIS Framework for Web Services Implementation Technical Committee, FWSI Functional Elements SC. "The ability to provide robust implementations is a very important aspect to create high quality Web Service-enabled applications and to accelerate the adoption of Web Services. The Framework for Web Services Implementation (FWSI) TC aims to enable robust implementations by defining a practical and extensible methodology consisting of implementation processes and common functional elements that practitioners can adopt to create high quality Web Services systems without reinventing them for each implementation. This document serves as a supporting document towards the identification of common functional elements, which in turn will be detailed in the Functional Elements Specification. In this document, aspects pertaining to enabling a robust Web Service-enabled application are discussed and the functional requirements arising out of these aspects are detailed... The purpose of OASIS Framework for Web Services Implementation (FWSI) Technical Committee (TC) is to facilitate implementation of robust Web Services by defining a practical and extensible methodology consisting of implementation processes and common functional elements that practitioners can adopt to create high quality Web Services systems without re-inventing them for each implementation. 
It aims to solve the problem of the slow adoption of Web Services due to a lack of good Web Services methodologies for implementation, cum a lack of understanding and confidence in solutions that have the necessary components to reliably implement Web Service-enabled applications. One of the FWSI TC's deliverables is the Functional Elements Specification. This Specification specifies a set of functional elements that practical implementation of Web Services-based systems will require. A Functional Element (FE) is defined as a building block representing common reusable functionalities for Web Service-enabled implementations, i.e., from an application Point-Of-View. These FEs are expected to be implemented as reusable components, with Web Services capabilities where appropriate, and to be the foundation for practitioners to instantiate into a technical architecture. The implementations of these FEs are further supported by another complementary work that is also from the FWSI TC, the Web Services Implementation Methodology (WSIM). As such, the TC hopes that through the implementations of these FEs, robust Web Service-enabled applications can be constructed quickly and deployed in a rapid manner... This document serves as a supporting document towards the identification of common functional elements, which in turn will be detailed in the Functional Elements Specification. It discusses the aspects pertaining to enabling a robust web service-enabled application from an application Point-Of-View and also details the functional requirements arising out of these aspects. Presently, the requirements are categorised into four main areas; namely Management, Process, Delivery and Security..."

[July 01, 2004] "Trust Negotiations: Concepts, Systems, and Languages." By Elisa Bertino (Purdue University), Elena Ferrari (University of Insubria at Como, Italy), and Anna Cinzia Squicciarini (University of Milan, Italy). In IEEE Computing in Science and Engineering Volume 6, Number 4 (July/August 2004), pages 27-34. "Trust negotiation is a promising approach for establishing trust in open systems such as the Internet, where sensitive interactions sometimes occur among entities with no prior knowledge of each other. This article provides a model for trust negotiation systems and delineates the features of ideal trust negotiation systems... A TN (trust negotiation) consists of a bilateral disclosure of digital credentials; it represents statements certified by given entities who verify the properties of their holders. Trust is thus incrementally built by iteratively disclosing digital credentials according to ad hoc resources, namely disclosure policies... TN policy languages are a set of syntactic constructs (for example, credentials and policies) and their associated semantics that encode security information to be exchanged during negotiations. Good TN languages should thus be able to simplify credential specification and express a range of protection requirements through specification of flexible disclosure policies. The dimensions we have identified to reach these goals deal with language expressiveness and semantics: Well-defined semantics; Monotonicity; Credential combination; Authentication; Constraints on property values; Intercredential constraints; Sensitive policy protection; Unified formalism and use of interoperable languages... Until now, the best-known trust-management system was Keynote, designed to work for various large- and small-scale Internet-based applications; but Keynote policies do not handle credentials as a means of establishing trust, mainly because the language was intended for delegation authority...
The Trust Establishment (TE) Project at Haifa Research Lab has developed a tool for enabling trust relationships between strangers based on public-key certificates; a key element of the system is a Trust Policy Language (TPL), specified using XML... The Internet Security Research Lab (ISRL) at Brigham Young University is an active research center in trust management; its TrustBuilder system currently represents one of the most significant proposals in the negotiation research area... We believe that even though current TN systems are comprehensive in terms of the functions they support, a strong need exists for new research in this area to lead the development of next-generation TN systems." Compare: "Trust Networks in a Web Services World," by Paul Madsen (O'Reilly WebServices.xml.com, May 26, 2004).

[July 01, 2004] "Trust-X: A Peer-to-Peer Framework for Trust Establishment." By Elisa Bertino (Purdue University), Elena Ferrari (University of Insubria at Como, Italy), and Anna Cinzia Squicciarini (University of Milan, Italy). In IEEE Transactions on Knowledge and Data Engineering Volume 16, Number 7 (July 2004), pages 827-842. "In this paper we present Trust-X, a comprehensive XML-based framework for trust negotiations, specifically conceived for a peer-to-peer environment. Trust negotiation is a promising approach for establishing trust in open systems like the Internet, where sensitive interactions may often occur between entities at first contact, with no prior knowledge of each other. The framework we propose takes into account all aspects related to negotiations, from the specification of the profiles and policies of the involved parties to the selection of the best strategy to succeed in the negotiation. Trust-X presents a number of innovative features, such as the support for protection of sensitive policies, the use of trust tickets to speed up the negotiation, and the support of different strategies to carry on a negotiation. In this paper, besides presenting the language to encode security information, we present the system architecture and algorithms according to which negotiations can take place... X-TNL is the XML-based language we have developed for specifying Trust-X certificates and disclosure policies. Expressing credentials and security policies using XML has several advantages. First, the protection of Web data and their security related information is uniform, in that credentials and policies are XML documents and, thus, can be protected using the same mechanisms developed for the protection of conventional XML documents. Furthermore, the use of an XML formalism for specifying credentials facilitates credential submission and distribution, as well as their analysis and verification by use of a standard query language such as XQuery...
Future work includes the extension of X-TNL along several directions such as the possibility of disclosing only portions of a credential during the negotiation process. This will allow us to support a fine-grained protection of the elements of a credential. Another research direction we are currently working on is the compliance with P3P policies. Additionally, we are developing techniques for credential chains discovery, for recovery upon negotiation failures, and for implementing more articulated similarity measures between trust sequences. Finally, an implementation of Trust-X is in progress on a platform based on Java and the Oracle DBMS. Such prototype systems will allow us to develop a systematic benchmark to assess the system performance under a variety of conditions..." See also: "Trust-X: An XML Framework for Trust Negotiations," presented at CMS 2003 (October 02-03, Turin, Italy).

Earlier Articles June 2004

[June 30, 2004] "Tags for Identifying Languages." By Addison Phillips (Editor, webMethods, Inc.) and Mark Davis (IBM). IETF Network Working Group, Internet Draft. Reference: 'draft-phillips-langtags-04'. June 24, 2004, expires December 23, 2004. 42 pages. "This document describes the structure, content, construction, and semantics of language tags for use in cases where it is desirable to indicate the language used in an information object. It also describes how to register values for use in language tags and a construct for matching such language tags, including user defined extensions for private interchange. This document replaces RFC 3066 (which replaced RFC 1766)... The language tag is composed of one or more parts: A primary language subtag and a (possibly empty) series of subsequent subtags. Subtags are distinguished by their length, position in the subtag sequence, and content, so that each type of subtag can be recognized solely by these features. This makes it possible to construct a parser that can extract and assign some semantic information to the subtags, even if specific subtag values are not recognized. Thus a parser need not have an up-to-date copy of the registered subtag values to perform most searching and matching operations..." Note: Mark Davis said in v04 "we provide a way for programs to really validate IDs by providing a complete list of all valid subtags... The most substantive issue I'd like to get feedback on is that we still allow in this draft subtags of up to 15 long (for readability), whereas RFC 3066 has a maximum of 8. The question is whether that would cause enough of a problem for older parsers that we should pull back to a maximum of 8..." See also editor's draft HTML; ephemeral IETF URL: http://www.ietf.org/internet-drafts/draft-phillips-langtags-04.txt. General references in: (1) the news story: "Tags for Identifying Languages: IESG Issues Last Call Review for IETF BCP"; (2) "Language Identifiers in the Markup Context."

[June 30, 2004] "Managing XML Data: An Abridged Overview." By Juliana Freire (Oregon Health & Science University) and Michael Benedikt (Bell Laboratories, Lucent Technologies). In IEEE Computing in Science and Engineering (CISE) Volume 6, Number 4 (July/August 2004), pages 12-19. "XML's flexibility makes it a natural format for both exchanging and integrating data from diverse data sources. In this survey, the authors give an overview of issues in managing XML data, discuss existing solutions, and outline the current technology's open problems and limitations. The objective is to clarify potential issues that must be considered when building XML-based applications, in particular, XML solutions' benefits as well as possible pitfalls. The intent is not to give an exhaustive review of XML data-management (XDM) literature, XML standards, or a detailed study of commercial products, but to provide an overview of a representative subset to illustrate how some XDM problems are addressed... While standards have been defined for basic XML technology, they are lacking in XDM. No standards exist for defining either publishing or storage mappings, and database vendors have adopted proprietary solutions for both problems that are often limited (for example, not all mapping schemes can be expressed). Efforts are underway in the research community to find a universal mapping framework that encompasses all mapping strategies. ShreX is a free system that provides the first comprehensive solution to the relational storage of XML data: it supports a wide range of XML-to-relational mapping strategies, provides generic query translation and document-shredding capabilities, and works with virtually any RDBMS... Although the research community has designed benchmarks such as XBench and XMark, to date, there has been no comprehensive evaluation and performance study of different XDM tools and systems.
Hence, it is not clear currently how the various XDM solutions perform, or how scalable they are. In fact, a recent study of XPath evaluation performance uncovered serious inefficiencies in popular XPath processors... Although existing solutions are evolving, and XML support in commercial products is improving at a fast pace, because XML is so flexible and extensible, we cannot expect to find out-of-the-box XDM solutions for all different applications. Due to the evolving standards, immaturity of the existing tools and the broad scope of the problem, selecting the right system or combination of systems that have the right set of features and meet the performance requirements of a given XML-based application is a nontrivial task. It is thus important that users of this technology be aware of its limitations and avoid known pitfalls..."

[June 30, 2004] "Copyright and Creativity." Editorial and book review by Michael Lesk (Rutgers University). In IEEE Security and Privacy Volume 2, Number 3 (May-June 2004), pages 76-78. "In his new book Free Culture (Penguin Press, 2004), Larry Lessig of Stanford Law School presents an excellent explanation of copyright law's effect on creativity and of large corporations' effect on copyright law. Lessig is well known as the founder of Creative Commons, the opponent of copyright term extension in the 2002 Eldred v. Ashcroft suit before the US Supreme Court, and a leading advocate of a larger public domain. Free Culture covers the history of copyright and its expansion from books to music, pictures, and videos, as well as its extension from 28 to 95 years. The book is remarkable because it presents both a factual argument and proposed solutions. Lessig documents the concentration of media ownership and the expansion of intellectual property's protected area, which work to put increasingly more creative output in the hands of fewer organizations. Even cliché phrases can now 'belong' to somebody: Rupert Murdoch's Fox News has tried to claim control of the words fair and balanced, for example, and Donald Trump wants to trademark you're fired... What can you say if you can't allude to anything that's gone before without stepping on the toes of someone who can afford a bigger lawsuit than you can? [...] There is a great deal more in this book — about the Internet, about history, and about our culture. I recommend it to everyone interested in public policy about copyright, downloading, and the deeper questions of how best to encourage a creative society..." See: (1) the online print version, available free under a Creative Commons license; (2) the online audio version; (3) "Patents and Open Standards."

[June 30, 2004] "Nokia Backs Eclipse for Building Apps." By Darryl K. Taft. In eWEEK (June 30, 2004). "Nokia has extended its support for Java development by announcing support of the Eclipse platform for developers building applications to run on its phones and devices. The Helsinki, Finland-based mobile communications giant announced support for the open-source development platform Tuesday at the JavaOne Conference... Support for the Eclipse integrated development environment (IDE) is included in new versions of the Nokia Developers Suite for J2ME (Java 2 Micro Edition), version 2.2, and the Nokia Mobile Server Services SDK; the tools are now available for free to members of the Forum Nokia Pro developers program... The Nokia Developer's Suite (NDS) for J2ME provides developers with utilities for creating and deploying MIDP (Mobile Information Device Profile) 1.0 and MIDP 2.0 applications. It can be used either alone or as an integrated plug-in to Borland Software Corp.'s JBuilder, IBM Corp.'s WebSphere, Sun Microsystems Inc.'s Sun ONE Studio, and now Eclipse... Nokia also offers a suite of server-based Java components that now support Eclipse in the Mobile Server Services SDK, which enables the creation of server-side mobile messaging, location presence solutions..." See also: (1) the Nokia announcement; (2) the Eclipse.org website for the Eclipse Foundation.

[June 29, 2004] "Sun's Kitty Hawk Aims High." By Martin LaMonica. In CNET News.com (June 29, 2004). "Sun Microsystems detailed this week a plan called Project Kitty Hawk to redesign its back-end corporate Java software to be more modular and cost-effective. At the JavaOne conference Monday, the company said it will rework its Java Enterprise System server software suite and Java Studio programming tools to simplify the process of building a services-oriented architecture, or SOA, a modular system design meant to reduce the cost of running computing systems. With a SOA, developers design applications so they can reuse a single 'service,' such as a product price check, for different applications. The changes to Sun's software, which Sun will be rolling out over the next two years, will be coupled with consulting services, including a 'SOA Readiness Assessment' program. Sun said the product enhancements of Project Kitty Hawk will make it easier for software developers to write Web services applications using Java. For example, a product under development, code-named Project Disco, will give programmers a visual tool for assembling applications using a Web services language called Business Process Execution Language for automating business processes, according to people familiar with Sun's plans. Project Kitty Hawk will let developers 'find, assemble and deliver applications based on a services-oriented architecture using Java Web services,' said Joe Keller, Sun's vice president of marketing for Java Web services and developer tools. For example, Keller said Sun will introduce modeling based on the unified modeling language in the second version of Java Studio Enterprise, which will go into beta testing this summer and be available by the end of the year..." See details in the announcement: "Sun Launches Comprehensive Services-Oriented Architecture Initiative. Vision Leverages Company's Java Web Services Leadership and Helps Customers Address SOA Requirements Today. 
New Services Offering for SOA Readiness Assessment Now Available."

[June 29, 2004] "McNealy: Sun, Microsoft To Unveil Phase One of Partnership in Late Summer. Directory Interoperability for Single Sign-On Will Be Tackled First." By Elizabeth Montalbano. In CRN (June 29, 2004). "Sun and Microsoft plan to detail Phase One of their historic partnership in late summer, Sun Chairman and CEO Scott McNealy said Tuesday at JavaOne. The first phase of the partnership will be to 'solve single sign-on' and facilitate interoperability between the LDAP model of the directory and identity management products in Sun's Java Enterprise System and Microsoft ActiveDirectory, McNealy told attendees in his morning keynote at Sun's annual Java developer confab in San Francisco. Once Sun and Microsoft make their software interoperable, 'users can log into the network once without having to remember multiple passwords and have their authentication travel across software infrastructure from both Sun and Microsoft,' McNealy said. Applications that run on both systems also can take advantage of the same infrastructure for network identity. 'This should make for more efficient consumer and enterprise use,' he said. Enabling single sign-on for users across multiple Web sites, particularly for e-commerce users, has been a tricky issue. Sun and a group of partner companies initiated and supported the Liberty Alliance, which leverages the Security Assertion Markup Language (SAML) specification to enable single sign-on, while Microsoft for a time planned its own project, HailStorm, to collect user information and authenticate users across multiple sites. But users were uncomfortable with the idea of Microsoft owning all of their personal information, so HailStorm didn't fly as expected..." See: (1) "Security Assertion Markup Language (SAML)"; (2) "Liberty Alliance Specifications for Federated Network Identification and Authorization."

[June 28, 2004] "Apple's RSS Embrace Could Bolster Adoption." By Matt Hicks. In eWEEK (June 28, 2004). "By giving its blessing to XML syndication, Apple is joining the trend of browser makers embracing Web news feeds and potentially bringing the technology to the masses. Apple Computer Inc. CEO Steve Jobs on Monday previewed the company's next version of its Web browser, dubbed Safari RSS. RSS refers to the acronym for Really Simple Syndication, the major format for XML syndication. Apple's Web browser is neither the first nor the only one to support syndication feeds. Opera Software ASA introduced RSS support with its latest browser, Opera 7.50, released in May, and the Mozilla Foundation is planning a feature to bookmark feeds with its Firefox 1.0 release later this year. Safari RSS is scheduled to be available with Apple's next Mac OS X release, code-named Tiger, planned for the first half of 2005... Microsoft's Internet Explorer, with 94 percent market share, has no support for reading or aggregating RSS feeds, and company officials declined to discuss whether it is planning any future support. But the Redmond, Wash., company previously has indicated that Longhorn will include RSS aggregation. 'Ultimately, what matters is what Microsoft does with Internet Explorer,' said Dave Winer, the co-author of RSS, who expects Microsoft to eventually include RSS support in a range of products... Cupertino, Calif.-based Apple is using RSS as a blanket term for both various versions of the RSS format as well as the rival format, Atom, all of which it plans to support. Opera also is supporting various versions of RSS from 0.90 and higher, according to its Web site. Mozilla plans to support multiple versions of RSS and Atom... The browser makers are all taking various approaches to incorporating feeds into the browser. Opera, of Oslo, Norway, has added RSS support within its mail application, handling feeds like e-mail messages.
The browser also can detect pages with feeds, and users can click a site's XML icon to automatically subscribe. Mozilla, based in Mountain View, Calif., plans to include its news feed support with the beta release of Firefox 1.0 in about six weeks, Goodger said. The new feature will let users save and organize feeds within the browser's bookmarks, which will display an updated list of feed items. Firefox also will display an icon or prompt to indicate that a Web page has an available feed, Goodger said..." General references in: (1) "RDF Site Summary" | "Really Simple Syndication" (RSS); (2) "Atom Publishing Format and Protocol."

[June 28, 2004] "Analysis of Interacting BPEL Web Services." By Xiang Fu, Tevfik Bultan, and Jianwen Su (Department of Computer Science, University of California, Santa Barbara, CA). Pages 621-630 (with 27 references) in Proceedings of the Thirteenth World Wide Web Conference (WWW 2004) held in New York City, May 17-22, 2004. "This paper presents a set of tools and techniques for analyzing interactions of composite web services which are specified in BPEL and communicate through asynchronous XML messages. We model the interactions of composite web services as conversations, the global sequence of messages exchanged by the web services. As opposed to earlier work, our tool-set handles rich data manipulation via XPath expressions. This allows us to verify designs at a more detailed level and check properties about message content. We present a framework where BPEL specifications of web services are translated to an intermediate representation, followed by the translation of the intermediate representation to a verification language. As an intermediate representation we use guarded automata augmented with unbounded queues for incoming messages, where the guards are expressed as XPath expressions. As the target verification language we use Promela, input language of the model checker SPIN. Since SPIN model checker is a finite-state verification tool we can only achieve partial verification by fixing the sizes of the input queues in the translation. We propose the concept of synchronizability to address this problem. We show that if a composite web service is synchronizable, then its conversation set remains same when asynchronous communication is replaced with synchronous communication..." General references in "Business Process Execution Language for Web Services (BPEL4WS)."

[June 27, 2004] "Consensus Reached on EPC Gen 2." By Mark Roberti. In RFID Journal (June 24, 2004). "The Freedom and Global proposals for EPCglobal's UHF Gen 2 specification have been merged into a single submission, paving the way for a new EPC standard. The path to a consensus began in Chicago last week. Members of EPCglobal's Hardware Action Group, which is overseeing the process of creating a Gen 2 standard, held a two-day meeting, arranged by Zebra Technologies, at the Hotel Sofitel. At that meeting were representatives from companies supporting one or the other of the proposed specifications that were being considered for adoption. Backing the Global proposal were representatives from Intermec, Philips Semiconductors, Texas Instruments and 10 other companies; promoting the Freedom proposal were representatives from Alien Technology, Atmel and Matrics. Zebra was officially part of the Global proposal but also supported the Freedom proposal, which is why it played a role in setting up the meeting... After several long, intense meetings, leading RFID vendors supporting two rival proposals for a second-generation UHF Electronic Product Code standard have agreed to a consensus proposal. The agreement paves the way for EPCglobal, the nonprofit organization commercializing EPC technology, to create a global standard for tracking goods in the supply chain with UHF RFID tags carrying EPCs. One of the key sticking points between the two groups was their differing approaches to intellectual property (IP). The companies backing the Global proposal were insisting that companies contributing their IP to the specification should be compensated on a reasonable and nondiscriminatory basis. The backers of the Freedom proposal were saying they would contribute their IP to their specification royalty-free and they wanted others supporting their specification to do the same, which was unacceptable to Intermec and other members of the Global team.
With both sides agreeing to remove the IP issue from the standards-establishing process, the teams began hashing through the technical differences between the two proposals...EPCglobal will issue a last-call working draft of the standard, and EPCglobal subscribers will have a chance to comment on the draft. Prototype tags and readers will be evaluated, and then in October, EPCglobal's board will formally ratify the draft and it will become a standard..." General references in: (1) "Physical Markup Language (PML) for Radio Frequency Identification (RFID)"; (2) "Radio Frequency Identification (RFID) Resources and Readings."

[June 27, 2004] "A First Look at the Kowari Triplestore." By Paul Ford. From XML.com (June 23, 2004). "Kowari is an open-sourced (Mozilla Public License) triplestore optimized for RDF storage, created by Tucana Technologies, and written entirely in Java 1.4.2. It began its life as the storage component of the Tucana Knowledge Server (TKS), Tucana's proprietary knowledge management suite, and remains under active development by Tucana. The 40+ meg download, and includes a host of open-sourced Java components (including Apache's SOAP implementation, the Jetty web server, and the Lucene search engine), a better name might be 'platypus'. In fairness, a 'Lite' version of the software is also available, at about 14 megs, which includes two *.jar files, one to run the server, and the other to run a console. This simplicity of installation and operation is quite welcome. Most of the available open-sourced triplestores currently require either compilation, or the installation of a relational database like PostgreSQL for persistence, or are reliant on a host programming language like Perl or Python. In contrast, Kowari's installation is a snap if your machine has Java 1.4 installed — download, unpack, and run. On launch, Kowari sets up a web server, on port 8080 (the port number can be configured), which contains a number of useful resources. A key component in Kowari's bag is a simple console app that allows for direct interaction with the server using Tucana's own SQL-like query language, iTQL. While most applications will end up calling the database via an external program, this easy install allows you to quickly get a feel for the product, and provides an easy way to perform common DBA-like tasks... Kowari is not for everyone: the architecture of the application is clearly focused on the server, and developers looking for an embeddable RDF store for desktop apps will likely want to look elsewhere, unless they are willing to add several megs to their applications. 
Kowari's dependence on Java is another possible sticking point for those developing tools using other frameworks. Documentation is brief and unfinished, but what's there is useful for the adventurous. Perhaps the most important caveat, however, is that Kowari lacks a security model. Tucana clearly expects security-minded customers to look into TKS, which provides full network-based authentication as part of its package..."

[June 27, 2004] "Eclipse to Pollinate BEA's Beehive." By Darryl K. Taft. In eWEEK (June 27, 2004). "Although BEA Systems Inc. will not formally join the Eclipse Foundation, the company is moving closer to supporting the organization and its goals. At the JavaOne conference here this week, BEA, of San Jose, Calif., will announce a new Eclipse Foundation project called Pollinate that will feature Eclipse support for BEA's Beehive technology, which is the open-source version of BEA's WebLogic Workshop Java IDE (integrated development environment) framework... Pollinate is an open-source incubator project to create an Eclipse-based development environment and tool set that will integrate with Beehive, which BEA submitted to the Apache Foundation. Beehive is an open-source framework for building SOA (service-oriented architecture) and enterprise Java applications. Eclipse provides the development environment and Beehive provides the underlying application framework and run-time... When the Pollinate project is complete, Eclipse developers will be able to plug Pollinate components into Eclipse and bypass a lot of the complexity of Java development. A beta version of the Eclipse Pollinate software will be available later this year..." [According to the BEA Dev2Dev website description: "Beehive is an open-source software project designed to deliver a cross-container, ease-of-use programming model and application framework for J2EE- and SOA-based applications. Beehive includes support for JSR 175 metadata annotations, the Java controls framework for creating and consuming J2EE components, a simplified Web services programming framework, and the Struts-based Java Page Flow technology for creating Web-based user interfaces and applications. Project Beehive will run on Apache Tomcat, the reference implementation for Java Servlet engines.
Beehive can help multitudes of Tomcat customers scale their applications by easily connecting to industry-leading infrastructures such as BEA WebLogic Platform. BEA WebLogic Server is the only J2EE-compliant server on which Beehive runs. However, we anticipate additional ports of Beehive will be created through the open-source development process. Beehive will be open-sourced under the Apache License v2.0."]

[June 25, 2004] "Towards the Self-Annotating Web." By Philipp Cimiano and Siegfried Handschuh (Institute AIFB, University of Karlsruhe, Germany); Steffen Staab (Ontoprise GmbH). Pages 462-471 (with 28 references) in Proceedings of the Thirteenth World Wide Web Conference (WWW 2004) held in New York City, May 17-22, 2004. "The success of the Semantic Web depends on the availability of ontologies as well as on the proliferation of web pages annotated with metadata conforming to these ontologies. Thus, a crucial question is where to acquire these metadata. In this paper we propose PANKOW (Pattern-based Annotation through Knowledge on the Web), a method which employs an unsupervised, pattern-based approach to categorize instances with regard to an ontology. The approach is evaluated against the manual annotations of two human subjects. The approach is implemented in OntoMat, an annotation tool for the Semantic Web and shows very promising results... The approach is novel, combining the idea of using linguistic patterns to identify certain ontological relations as well as the idea of using the Web as a big corpus to overcome data sparseness problems. It is unsupervised as it does not rely on any training data annotated by hand and it is pattern-based in the sense that it makes use of linguistically motivated regular expressions to identify instance concept relations in text. The driving principle behind PANKOW is one of disambiguation by maximal evidence in the sense that for a given instance it proposes the concept with the maximal evidence derived from Web statistics. The approach thus bootstraps semantic annotations as it queries the Web for relevant explicit natural language descriptions of appropriate ontological relations... [Our approach] overcomes the burden of laborious manual annotation and it does not require the manual definition of an information extraction system or its training based on manually provided examples. 
It uses the implicit wisdom contained in the Web to propose annotations derived from counting Google hits of instantiated linguistic patterns. The results produced are comparable to state-of-the-art systems, whereas our approach is comparatively simple, effortless and intuitive to use to annotate the Web..."

[June 25, 2004] "Microsoft Submits Merged Sender ID E-mail Spec." By Gregg Keizer. From TechWeb News (June 25, 2004). "Microsoft finished blending its e-mail sender authentication scheme with the competing Sender Policy Framework (SPF) standard, and submitted the new specification to the Internet Engineering Task Force (IETF) for consideration. Last month, Microsoft announced that it had come to an agreement with Meng Weng Wong, the creator of SPF, to merge his specification with the Redmond, Wash.-based developer's lesser-known rival, dubbed Caller ID for E-mail. The new specification, called Sender ID, proposes that organizations publish information about their outgoing e-mail servers, particularly IP (Internet Protocol) addresses, in the Domain Name System (DNS) in XML. If adopted, Sender ID would serve as an e-mail authentication system that verifies the message actually originated with the purported address. 'Over half of the e-mail targeting our Hotmail customers today come from spoofed domains,' said Ryan Hamlin, general manager of Microsoft's anti-spam group. 'We are committed to taking this trick away from spammers.' All e-mail authentication schemes under consideration — including Yahoo's DomainKeys, which has also been submitted to the IETF — aim to shut down the use of spoofed, or forged, addresses, used by spammers to disguise the origin of junk mail. Spoofed addresses are also used by phishing scams, which pose as e-mail from legitimate organizations such as banks and credit card companies. Sender ID and DomainKeys both hope to put an end to spoofing by confirming the sender's actual domain, and thus boost the effectiveness of spam filters..." See other details in the news story: "IETF Releases Anti-Spam Sender ID Internet Draft Specification."

[June 24, 2004] "B2B Integration over the Internet with XML: RosettaNet Successes and Challenges." By Suresh Damodaran (Chief Technologist, RosettaNet, On loan from Sterling Commerce). Pages 188-195 (with 8 references) in Proceedings of the Thirteenth World Wide Web Conference (WWW 2004) held in New York City, May 17-22, 2004. "This paper provides an overview of RosettaNet technical standards and discusses the lessons learned from the standardization efforts, in particular, what works and what doesn't. This paper also describes the effort to increase automation of B2B software integration, and thereby to reduce cost... RosettaNet has brought standardization of business processes to the XML-based business information exchange over the Internet. The original goal of this standardization has been to reduce cost while allowing disparate trading partners to conduct electronic commerce in a mutually understood way — both syntactically and semantically. RosettaNet is continuing to further the goal of reducing the cost of implementation and execution of these business processes. As discussed in this paper, making the specification of the business processes more machine interpretable results in fewer manual hours spent in reading and interpreting RosettaNet PIPs. Increased automation further reduces errors and related costs. RosettaNet is currently working on the challenges to making the execution of the business processes more efficient. The goal of making automated B2B integration affordable and accessible to large numbers of small and medium-sized businesses is being addressed by the definition of a services framework, and by standardizing even more aspects of B2B integration..." General references in "RosettaNet."

[June 19, 2004] "Microsoft Research DRM Talk." By Cory Doctorow (Electronic Frontier Foundation). June 17, 2004. Text dedicated to the public domain, using a Creative Commons public domain dedication. This talk was originally given to Microsoft's Research Group and other interested parties from within the company at their Redmond offices on June 17, 2004. "Greetings fellow pirates! Arrrrr! I'm here today to talk to you about copyright, technology and DRM. I work for the Electronic Frontier Foundation on copyright stuff (mostly), and I live in London... Here's what I'm here to convince you of: (1) That DRM systems don't work; (2) That DRM systems are bad for society; (3) that DRM systems are bad for business; (4) That DRM systems are bad for artists; (5) That DRM is a bad business-move for MSFT... At the Broadcast Protection Discussion Group meetings where the Broadcast Flag was hammered out, the studios' position was, 'We'll take anyone's DRM except Microsoft's and Philips'.' When I met with UK broadcast wonks about the European version of the Broadcast Flag underway at the Digital Video Broadcasters' forum, they told me, 'Well, it's different in Europe: mostly they're worried that some American company like Microsoft will get their claws into European television.' American film studios didn't want the Japanese electronics companies to get a piece of the movie pie, so they fought the VCR. Today, everyone who makes movies agrees that they don't want to let you guys get between them and their customers. Sony didn't get permission. Neither should you. Go build the record player that can play everyone's records. Because if you don't do it, someone else will..." General references in "XML and Digital Rights Management (DRM)." Source: http://craphound.com/msftdrm.txt.

[June 16, 2004] "The Hill's Property Rights Showdown." By Declan McCullagh. In CNET News.com (June 16, 2004). "The Digital Millennium Copyright Act is under siege. For the first time since it was enacted in 1998, the DMCA has become the target of a large and growing number of critics seeking to defang the controversial law. The legislation says Americans aren't permitted to circumvent encryption guarding certain digital media products — even if the purpose is to make a backup copy of a computer program or DVD. On Tuesday, a new group called the Personal Technology Freedom Coalition is planning a press conference to reiterate its members' support for a proposal to repeal the portion of the DMCA that has drawn the most condemnation. Its organizers already have met with representatives of about 20 congressional offices, and they say the coalition includes key tech companies like Intel, Sun Microsystems, Gateway, and Philips Consumer Electronics North America. Rep. Rick Boucher, D-Va., introduced a bill called the Digital Media Consumers' Rights Act (HR 107). It would allow the circumvention of copy protection as long as no piracy is taking place. Boucher: 'Our intellectual-property laws have always been intentionally porous, and the porous nature of those laws, accommodating, for example, the Fair Use Doctrine, has enabled the society to have a right to use intellectual property in certain circumstances without having to obtain the permission in advance of the owner of the copyright... Many companies that primarily produce intellectual property oppose this [reform] measure. So does the Business Software Alliance, which is dominated by Microsoft. It is, some believe, sort of Microsoft's alternative voice in the nation's capital. The passage of the DMCA was the crown jewel of the legislative efforts of the content-creating community of the last two decades, because it was a dramatically blunt instrument. 
It criminalizes conduct that most people would believe should be innocent, such as circumventing technical protection in order to exercise a fair-use right..."

[June 16, 2004] "Extending Metadata Recognition: The Java Programming Language Metadata Facility (JSR 175) for J2SE 1.5 Foments Discussion at the ServerSide Symposium 2004." By Kito Mann. In JavaPro Magazine (June 16, 2004). "I attended Ted Neward's discussion on custom attributes in Java. Attributes are currently being developed as Java Specification Request (JSR) 175 and will be part of J2SE 1.5 ('Tiger'), which is scheduled for release later this year. Neward made a point of saying that all of this information hasn't yet been finalized, so take the contents herein with a grain of salt... Neward started the discussion by pointing out some early hacks in the Java language that could have been handled with attributes, most notably serialization [but we ended] up with marker interfaces and about a million XML documents for Enterprise JavaBeans (EJBs), Java Data Objects (JDO), servlets, Java Management Extensions (JMX), Remote Method Invocation (RMI), and so on. JavaDoc comments are helpful too, especially for code generation (witness XDoclet), but they aren't included in bytecode, so they can't be interpreted at runtime or after compilation. The solution then is to allow us to support arbitrary annotations — metadata — for our classes, fields, methods, and so on. Metadata doesn't replace tools like XDoclet that generate code based on JavaDoc comments; rather, it's a feature that a future version of these tools might use instead of JavaDoc comments. In many ways, they formalize and extend some of the current usage of JavaDoc comments. Annotations are implemented as special classes that look like interfaces, and consequently have no implementation. Their goal is to provide additional information about your code, and that's it. Once you've defined an annotation, you can use it to declare additional information about your code at many different levels (package, type, field, method, parameter, and so on).
You can also control when the annotations are available (source only, class file, or runtime), and whether or not they will be documented. One key point is that JSR 175 defines how annotations work, not the specific annotations one can use. As time rolls on, the community will weave attributes throughout existing and future pieces of the Java platform, which is already evident in the proposed path of EJB 3.0 (EJB 3.0 uses attributes instead of deployment descriptors and interfaces), and the JCP is already developing annotations for Web services with JSR 181. There's no doubt that metadata is going to be a great addition to the Java platform, and that it will make life a lot easier for everyday development, especially since it can vastly reduce the number of XML files we need to manage. Annotations will also be the mechanism of choice for Aspect-Oriented Programming (AOP) frameworks..." See also: (1) "JSR 175: A Metadata Facility for the Java Programming Language"; (2) the author's JavaServer Faces FAQ document.

[June 16, 2004] "application/saml+xml Media Type Registration." By Jeff Hodges (Sun Microsystems). IETF Network Working Group. Internet Draft. Reference: 'draft-hodges-saml-mediatype-00'. June 13, 2004, expires December 12, 2004. "The SAML specification sets, SAML V1.0 and SAML V1.1, are work products of the OASIS Security Services Technical Committee (SSTC). The SAML specifications define XML-based constructs with which one may make, and convey, security assertions. For example, one can assert that an authentication event pertaining to some subject has occurred and convey said assertion to a relying party. This document defines a MIME media type 'application/saml+xml' for use with the XML serialization of SAML (Security Assertion Markup Language) assertions, or other SAML-defined objects..." General references in "Security Assertion Markup Language (SAML)."

[June 16, 2004] "The Atom Link Model." By Mark Pilgrim. From XML.com (June 16, 2004). "Atom is an emerging XML vocabulary and protocol for syndication and editing. Atom has a coherent linking model to express a number of different types of links. Atom borrows heavily from the 'link' markup element in HTML, although they are not identical. A central concept of Atom is the concept of the alternate link, sometimes called the 'permanent link' or 'permalink'. Every Atom feed, and every entry within every feed, must have an alternate link that points to the permanent location of that feed or entry. The terminology of calling it an 'alternate' link is borrowed from the HTML 'link' element, the specification of which states that an alternate link 'designates a substitute version for the document in which the link occurs'. At the feed level, the alternate link points to the home page of the site that the feed is syndicating. At the entry level, the alternate link points to the 'permalink' of that entry in some other format — most often HTML, although it can be any content type. This article explores several of the most common link types that are already deployed in Atom feeds today... Comment feeds: Many weblogs, community sites, and general purpose sites allow visitors to post comments on individual articles. This intersects Atom in two related ways. In Atom, a comment is represented like any other entry, and many publishers now generate comment feeds for individual articles. To make these per-article comment feeds easier to find and subscribe to, Atom has a link tag to point to an entry's associated comment feed..." General references in "Atom Publishing Format and Protocol."

[June 16, 2004] "Virtuoso Can Synchronize XML Data." By Yvonne L. Lee. In Software Development Times (June 15, 2004). "Database access vendor OpenLink Software Inc. has updated its Virtuoso 'universal server' by adding XML data syndication and the ability to synchronize with mobile devices. Virtuoso combines Web, database and application servers along with XML storage. As CEO and founder Kingsley Idehen described it, the product originated from the company's work providing ODBC, JDBC and ADO database connectivity drivers. 'We thought since we can already homogenize SQL data, why don't we use that same capability to present those data sources as XML documents?' he said. The new XML data synchronization in Virtuoso 3.5 makes it possible for organizations to create RSS data feeds. One use for this would be to create catalogs to which customers could subscribe, Idehen said. RSS, or Really Simple Syndication, is an increasingly popular format for publishing XML information over the Internet..." See the announcement: "OpenLink Releases Universal Server Platform. Virtuoso 3.5 Enables Organizations to Cost-Effectively Develop, Integrate, and Deploy SOA and Event-Driven Solutions."

[June 10, 2004] "Federation Acceleration." By Dan Farber. In ZDNet Tech Update (June 08, 2004). "Federated identity is beginning to gain some traction among corporations, according to a survey conducted by Ping Identity, a provider of federated identity management solutions and the founding sponsor of SourceID, an open source community focused on federation efforts, such as SAML, Liberty Alliance and WS-Federation. The survey, gleaned from nearly 100 responses by registered downloaders of SourceID, showed a strong increase of federations in production, rising from 1 percent to 7 percent between the first and second quarters of this year. Over 50 percent of those surveyed thought they would engage in between 1 and 3 federations within the next 24 months. Only 6 percent surveyed anticipated participation in more than 10 federations in the same period. Ease-of-integration and vendor interoperability were cited as the most important characteristics of federation products, with single-sign on (SSO) amongst partners cited as the primary use case desired. Currently, SAML 1.1 is the dominant protocol used for federation. Vendors have announced support for the Liberty Alliance Liberty ID-FF 1.1, but few are shipping in a substantial way, according to Eric Norlin, senior vice president of marketing at Ping Identity. The survey indicated that interest in SAML 2.0 and WS Federation will begin to ramp up significantly in the latter part of 2004 and continue throughout 2005..."

[June 09, 2004] "Google Mulls RSS Support." By Stefanie Olsen and Evan Hansen. In CNET News.com (June 09, 2004). "Google is considering renewing support for the popular RSS Web publishing format in some services. Along with rival Atom, RSS is a leading candidate to form the basis of an industry standard for a new style of Web publishing that lets readers easily compile news headlines on the fly. Were Google to support both RSS and Atom equally, it might help ease growing pains for a swiftly rising movement of Web publishing. It would also restore Google to the status of a neutral party in the midst of a bitter fight between backers of RSS and Atom, who have been divided since last summer when critics of RSS banded together to create the alternative format. Since then, many blog sites and individuals have rallied behind Atom... Google is central to the debate because of its mounting influence in the online community and within Web publishing circles as the owner of Blogger. The Mountain View, Calif.-based company, which is gearing up for a $2.7 billion initial public offering later this year, recently redesigned Blogger with simplified features to help newbie Web surfers publish regular accounts of their lives online, a move to appeal to wider audiences. Google also has plans to introduce a raft of community services, including e-mail discussion groups (Google Groups 2), free Web-based e-mail and search personalization tools, which could eventually tap the syndication format... A slew of feed readers or news aggregators has emerged to take advantage of the technology and spur consumer demand. Newsgator, for example, lets people subscribe to various Web logs and news sites and have the feeds delivered to their e-mail via a plug-in for Microsoft Outlook, at a cost of $29. Topix.net lets people parse news into 150,000 different categories, even down to a ZIP code, and create their own information site. 
Pluck recently released a set of browser add-ons for Microsoft's Internet Explorer with an RSS reader. Many news readers support both RSS and Atom, although some support only one or the other. Despite the fissure, RSS has been gaining allegiance among many computer makers and online publishers. In recent weeks, Time magazine, Reuters, Variety.com and Smartmoney.com have started supporting the format, syndicating their headlines to news aggregators and individuals..." See also: (1) "RDF Site Summary" | "Really Simple Syndication" (RSS); (2) "Atom Publishing Format and Protocol."

[June 01, 2004] "Rights Expression Languages: A Report for the Library of Congress." By Karen Coyle. Commissioned by the US Library of Congress, Network Development and MARC Standards Office. Published February 2004. 53 pages. See the background and introduction provided by Sally H. McCallum. "Rights expression languages (RELs) are part of the technology of digital rights management. Both are recent technologies and still in their formative stages. The first RELs were developed in the late 1990's and none can be considered to be fully deployed at this date (2004). This report provides an analysis of a representative sample of RELs that vary from relatively simple expressions of rights holders' preferences to highly complex components of a trusted systems environment. The four featured RELs are: CreativeCommons, METSRights, Open Digital Rights Language (ODRL), and MPEG-21, Part 5 (MPEG-21/5). The paper develops categories to aid in the analysis of the RELs. The goals and purposes of the RELs are characterized as: (1) expression of copyright, (2) expression of contract or license agreements, (3) control over access and/or use. An understanding of these different purposes can be used to explain many of the differences between these and other RELs. In particular, the degree to which RELs are intended to be machine-actionable is a determinant in the kinds of rights that can be expressed in the REL. A machine-actionable REL must use very precise language and can nearly guarantee compliance with the terms of the machine-readable license. This REL cannot, however, support social or legal concepts like "fair use." On the other hand, broader and less precise RELs must rely on agreement and trust for enforcement, which means that there is a risk that some unauthorized use of the digital resource could occur... 
The main purpose of this paper is to expose the underlying goals and assumptions of a range of existing rights expression languages, and to establish a taxonomy that will allow us to evaluate RELs in relation to sets of requirements. This taxonomy may also aid in the further development of languages that serve specific or general needs." The author notes in the section 'Business Models of Rights Expression Languages' that the RELs analyzed are "significantly different from each other in terms of their business models — that is, in terms of how they themselves can be licensed and used." Three of the four RELs studied have no license requirements for use: Open Digital Rights Language (ODRL), Creative Commons, and METSRights (METSR). They are open specifications, delivered patent-free by their designers, and are freely downloadable on the Internet. MPEG-21/5 must be purchased from ISO; it is based upon the legally encumbered (patented) XrML(TM) from ContentGuard, recently acquired by Time Warner and Microsoft. General references in "XML and Digital Rights Management (DRM)."

[June 01, 2004] "Sun Consolidates ID Management Systems." By Jim Wagner. From Internetnews.com (June 01, 2004). "Sun Microsystems has launched three identity management applications that combine its existing product line with technology it acquired from WaveSet in November 2003. The new lines are part of a major product and service announcement that Sun launched Tuesday, which also shines a spotlight on its ID Management systems that have been gaining traction around the globe. Java-based System Identity Manager, System Access Manager and System Directory Server Enterprise Edition will be generally available on July 1st for enterprises looking to incorporate ID management. The technology is used to allow employees, partners and customers access to the company intranet using any number of methods (wireless phone, PC, etc.), securely and allowing access only to pre-determined areas. So, for example, an employee might have rights to several back-end databases and applications for processing orders but a customer or partner would only have access to, say, the front-end order processing application or portal. Officials at the Santa Clara, Calif., software and hardware company are looking to gain market traction with its three products, which are the combination of eight separate Sun and WaveSet applications. They include: (1) Identity Manager provisions and manages individual user accounts, whether the end user is accessing the network by email, phone, device or PC. It also synchronizes user accounts. (2) System Access Manager provides the support for entering the network using the federated ID standards of the Liberty Alliance and Security Assertion Markup Language 1.1 specifications. (3) System Directory Server — the database repository for all the identity policies and information, featuring load-balancing, security and integration with the Microsoft Active Directory..." 
See the announcement: "Sun Doubles Down on Identity Management Innovations and Alliances Underscore Commitment to Take Lead in Growing $4 Billion Market."